cul/ldpd-hyacinth

Project Permissions Endpoint

Closed this issue · 0 comments

This project permissions endpoint will be used to create a form that adds project permissions to a user and a form that adds permissions to a project.

Note: #104 should be merged before you start work on this.

The endpoint should be at:

POST /api/v1/projects/permissions

The request should look something like:

{
  "project_permissions": [
    {
      "project_id": 1,
      "user_uid": "2349-4983-3494-9343",
      "actions": ["read_objects", "edit_objects"]
    },
    {
      "project_id": 1,
      "user_uid": "1111-4983-3494-9343",
      "actions": ["read_objects"]
    }
  ]
}

One way to implement this: for each (project_id, user_uid) pair in the request, find and delete all of that user's existing permissions on that project, then recreate them from the submitted actions.

Any user with the ability to 'manage users' should be able to add any permissions. A user without it must have 'manage' permission on every project they are trying to change.
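The two rules above (replace-all per project/user pair, and the "manage users or manage every requested project" authorization check) are small enough to show end to end in plain Ruby. The block below is an added example, not code from the ldpd-hyacinth project: the request body is the one from this issue, the existing rows and the `ability` hash (with hypothetical `manage_users` and `manage_project_ids` keys standing in for `can?(:manage, User)` and `can?(:manage, project)`) are constructed for illustration.

```ruby
require 'json'
require 'set'

# Constructed sample request body, matching the shape given in the issue.
REQUEST_BODY = <<~JSON
  {
    "project_permissions": [
      { "project_id": 1, "user_uid": "2349-4983-3494-9343", "actions": ["read_objects", "edit_objects"] },
      { "project_id": 1, "user_uid": "1111-4983-3494-9343", "actions": ["read_objects"] }
    ]
  }
JSON

# Constructed stand-in for existing project permission rows:
# one row per (project_id, user_uid, action).
EXISTING_ROWS = [
  { project_id: 1, user_uid: "2349-4983-3494-9343", action: "read_objects" },
  { project_id: 1, user_uid: "2349-4983-3494-9343", action: "manage" },
  { project_id: 2, user_uid: "2349-4983-3494-9343", action: "read_objects" }
]

# Hypothetical ability hash for the acting user (assumption, not the project's API):
#   manage_users:       true stands in for can?(:manage, User)
#   manage_project_ids: ids of the projects the user can?(:manage, project)
# A user who can manage users may set anything; otherwise every project
# referenced in the request must be one the user can manage.
def authorized?(ability, entries)
  return true if ability[:manage_users]
  requested = entries.map { |e| e["project_id"] }.uniq
  requested.all? { |id| ability[:manage_project_ids].include?(id) }
end

# Replace-all semantics from the issue: for every (project_id, user_uid) pair in
# the request, drop all existing rows for that pair and recreate them from the
# submitted actions. Pairs not mentioned in the request are left untouched.
def replace_permissions(existing, entries)
  touched = entries.map { |e| [e["project_id"], e["user_uid"]] }.to_set
  kept = existing.reject { |row| touched.include?([row[:project_id], row[:user_uid]]) }
  created = entries.flat_map do |e|
    e["actions"].uniq.map { |a| { project_id: e["project_id"], user_uid: e["user_uid"], action: a } }
  end
  kept + created
end

# Parse the body, refuse unauthorized requests before touching any rows,
# then return the new full set of permission rows.
def apply_request(body, ability, existing)
  entries = JSON.parse(body).fetch("project_permissions")
  raise ArgumentError, "not permitted" unless authorized?(ability, entries)
  replace_permissions(existing, entries)
end
```

Note that the authorization check runs over the whole request before any row is deleted, so a request mixing one permitted and one forbidden project is rejected as a unit rather than half-applied.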

This was how I started to implement this:

module Api
  module V1
    module Projects
      class PermissionsController < ApplicationApiController
        before_action :ensure_json_request
        before_action :ensure_current_user_permitted

        def batch_update
          # TODO: for each (project_id, user_uid) pair, delete the existing
          # project permissions and recreate them from the submitted actions.
        end

        private

          # The request body nests the entries under "project_permissions",
          # so that is the key to permit here (not "permissions").
          def batch_update_params
            params.permit(project_permissions: [:project_id, :user_uid, { actions: [] }])
          end

          # Permitted entries are ActionController::Parameters, so read the
          # id with [] rather than a project_id accessor.
          def requested_project_ids
            Array(batch_update_params[:project_permissions]).map { |entry| entry[:project_id] }.uniq
          end

          # A user who can manage users may set any permission; otherwise the
          # user must be able to manage every project named in the request.
          # can? is checked per project record; passing a hash of ids to can?
          # does not perform that check.
          def current_user_permitted?
            return true if can?(:manage, User)
            Project.find(requested_project_ids).all? { |project| can?(:manage, project) }
          end

          # A before_action's return value does not halt the request, so the
          # forbidden case has to respond explicitly.
          def ensure_current_user_permitted
            head :forbidden unless current_user_permitted?
          end
      end
    end
  end
end